With one in three cyber-attacks now involving compromised employee accounts, insurers and regulators are placing far greater emphasis on identity posture when assessing cyber risk.
For many organizations, however, these assessments remain largely opaque. Elements such as password hygiene, privileged access management, and the extent of multi-factor authentication (MFA) coverage are increasingly influential in how cyber risk and insurance costs are evaluated.
Understanding the identity-centric factors behind these assessments is critical for organizations seeking to demonstrate lower risk exposure and secure more favorable insurance terms.
Why identity posture now drives underwriting
With the global average cost of a data breach reaching $4.4 million in 2025, more organizations are turning to cyber insurance to manage financial exposure. In the UK, coverage has increased from 37% in 2023 to 45% in 2025, but rising claims volumes are prompting insurers to tighten underwriting requirements.
Credential compromise remains one of the most reliable ways for attackers to gain access, escalate privileges, and persist within an environment. For insurers, strong identity controls reduce the likelihood that a single compromised account can lead to widespread disruption or data loss, supporting more sustainable underwriting decisions.
What insurers want to see in identity security
Password hygiene and credential exposure
Despite the growing use of multi-factor authentication and passwordless initiatives, passwords still play a key role in authentication. Organizations should pay particular attention to the behaviors and issues that increase the risk of credential theft and abuse, including:
- Password reuse across identities, particularly among administrative or service accounts, increases the likelihood that one stolen credential leads to broader access.
- Legacy authentication protocols are still common in networks and frequently abused to harvest credentials. NTLM persists in many environments despite being functionally replaced by Kerberos in Windows 2000.
- Dormant accounts with valid credentials, which act as unmonitored entry points and often retain unnecessary access.
- Service accounts with never-expiring passwords, creating long-lived, low-visibility attack paths.
- Shared administrative credentials, reduce accountability and amplify the impact of compromise.
From an underwriting perspective, evidence that an organization understands and actively manages these risks is often more important than the presence of individual technical controls. Regular audits of password hygiene and credential exposure help demonstrate maturity and intent to reduce identity-driven risk.
Privileged access management
Privileged access management is a critical measure of an organization’s ability to prevent and mitigate breaches. Privileged accounts can have high-level access to systems and data, but are frequently over-permissioned. As a result, insurers pay close attention to how these accounts are governed.
Service accounts, cloud administrators, and delegated privileges outside central monitoring significantly elevate risk. This is especially true when they operate without MFA or logging.
Excessive membership in Domain Admin or Global Administrator roles and overlapping administrative scopes all suggest that privilege escalation would be both rapid and difficult to contain.
Poorly governed or unknown privileged access is typically viewed as higher risk than a small number of tightly controlled administrators. Security teams can use tools such as Specops Password Auditor to identify stale, inactive, or over-privileged administrative accounts and prioritize remediation before those credentials are abused.
 |
| Specops Password Auditor – Dashboard |
When determining the likelihood of a damaging breach, the question is straightforward: if an attacker compromises a single account, how quickly can they become an administrator? Where the answer is “immediately” or “with minimal effort,” premiums tend to reflect that exposure.
MFA coverage
Most organizations can credibly state that MFA has been deployed. However, MFA only meaningfully reduces risk when it is consistently enforced across all critical systems and accounts. In one documented case, the City of Hamilton was denied an $18 million cyber insurance payout after a ransomware attack because MFA had not been fully implemented across affected systems.
While MFA isn’t infallible, fatigue attacks first require valid account credentials and then depend on a user approving an unfamiliar authentication request, an outcome that is far from guaranteed.
Meanwhile, accounts that authenticate via older protocols, non-interactive service accounts, or privileged roles exempted for convenience all offer viable bypass paths once initial access is achieved.
That’s why insurers increasingly require MFA for all privileged accounts, as well as for email and remote access. Organizations that neglect it may face higher premiums.
Four steps to improve your identity cyber score
There are many ways organizations can improve identity security, but insurers look for evidence of progress in a few key areas:
- Eliminate weak and shared passwords: Enforce minimum password standards and reduce password reuse, particularly for administrative and service accounts. Strong password hygiene limits the impact of credential theft and reduces the risk of lateral movement following initial access.
- Apply MFA across all critical access paths: Ensure MFA is enforced on remote access, cloud applications, VPNs, and all privileged accounts. Insurers increasingly expect MFA coverage to be comprehensive rather than selectively applied.
- Reduce permanent privileged access: Limit permanent administrative rights wherever practical and adopt just-in-time or time-bound access for elevated tasks. Fewer always-on privileged accounts directly reduce the impact of credential compromise.
- Regularly review and certify access: Conduct routine reviews of user and privileged permissions to ensure they align with current roles. Stale access and orphaned accounts are common red flags in insurance assessments.
Insurers increasingly expect organizations to demonstrate not only that identity controls exist, but that they are actively monitored and improved over time.
Specops Password Auditor supports this by providing clear visibility into password exposure within Active Directory and enforcing controls that reduce credential-based risk.
To understand how these controls can be applied in your environment and aligned with insurer expectations, speak with a Specops expert or request a live demo.
